Tech Tip: Risk management balances functionality and security

By Mike Mullins

Network security is a balancing act among security, user functionality, and speed. In order to justify a reduction in operational ability—such as turning off ActiveX—you must identify specific actions that will produce a more secure environment for corporate assets and users.

Companies of all sizes can and should use the principles of risk management to identify threats, determine vulnerabilities, and implement courses of action. IT budgets for many organizations have been shrinking recently. You owe it to your employer to stretch those IT dollars: Identify security risks and demonstrate how eliminating or mitigating that risk will positively impact the bottom line.

The cornerstone of risk management is a security risk assessment. A risk assessment has three steps: determine network value, define the threat, and determine vulnerability.

Risk assessment process

Determine network value
When assessing the value of your company's network assets, remember to consider both the tangible and intangible costs. Ask questions such as:

  • How does system failure impact revenue?
  • What manpower costs are associated with network restoration?
  • How much would it cost to recreate the information stored on your network?
  • What is the financial liability if the information on your network were compromised?

Define the threat
Your network and its data are vulnerable to environmental, internal, and external threats. You must address each type of threat and identify as many possible risks as you can.

Most admins are fairly aware of environmental threats; they don't put their data center in a flood zone or place critical servers underneath a sprinkler system. Insider threat is often well defined as well. These types of threats are common and readily identifiable.

When defining external threats, determine who would gain by compromising the confidentiality of your data—whether it's patient records or credit card numbers—through unauthorized access. Perhaps a competitor is seeking information on your customers, or an exploring cracker decides to alter or delete your data, destroying its integrity or availability.

Determine vulnerability
In this assessment, vulnerability is the likelihood that a threat you've identified will actually be realized against your network. Categorize your level of vulnerability to each identified threat:

  • How likely is the threat? (Are you a high profile target within your industry?)
  • How feasible is the threat?

Many people agonize the most over vulnerability assessment. My advice is to think in practical terms.

Implementing solutions

The final step in the risk management process is implementing a secure solution. Your solution might involve a major effort such as user or admin training, network redesign, or an investment in security hardware. Or your solution could be as simple as turning off unneeded services on the vulnerable asset or testing and implementing a service patch.

A sample shows how the steps fit together within the network security framework. Suppose the security admin for a nationwide auto body repair shop decides to do a network risk assessment. The repair shop's network primarily maintains employee time and attendance records and customer car repair information; its Internet connection carries e-mail and Web traffic only. The finished risk assessment might look like this.

Determine network value—If the network were eliminated, mechanics could still fix cars and customers wouldn't suffer if a hacker learned their tires were out of alignment. However, without the network, it would take an additional four hours per pay period, per site to calculate time and attendance.

Define the threat—Beyond environmental and insider threats, the most likely threat is from a passing black hat or script kiddie.

Determine vulnerability—The network is vulnerable to hostile Web traffic and e-mail-borne viruses.

Solution—The simple, low-cost solution is to implement antivirus on the workstations and restrict ActiveX, Java, and scripting there. Additionally, restrict outbound traffic at the network boundary to HTTP, HTTPS, DNS requests, and SMTP. Inbound traffic should consist only of replies to connections established from inside, answers to DNS queries the network itself sent, and SMTP.
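The boundary policy in the solution above, written out as an executable default-deny check so you can see which packets it actually passes. This is an added example, not the article's or the repair shop's configuration. The addresses, the mail host, and the `new` flag that stands in for a TCP SYN or a fresh UDP query are constructed assumptions, and limiting inbound SMTP to a single mail host tightens the page's plain "SMTP" rule to what a practitioner would deploy.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."          # assumed address range of the shop's network
MAIL_SERVER = "10.0.0.25"            # assumed address of the host that receives mail
OUTBOUND_TCP_PORTS = {80, 443, 25}   # HTTP, HTTPS, SMTP
OUTBOUND_UDP_PORTS = {53}            # DNS requests


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    new: bool = False   # opens a flow: a TCP SYN or a fresh UDP query


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


class Boundary:
    """Default-deny, stateful filter: only flows the policy opened get replies back."""

    def __init__(self):
        self.flows = set()   # (proto, src, sport, dst, dport) of flows allowed so far

    def _remember(self, p):
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def _is_reply(self, p):
        # a reply travels the recorded 5-tuple in reverse
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows

    def check(self, p):
        if is_internal(p.src) and not is_internal(p.dst):
            return self._outbound(p)
        if not is_internal(p.src) and is_internal(p.dst):
            return self._inbound(p)
        return "DENY"   # both ends inside or both outside: spoofed or misrouted

    def _outbound(self, p):
        if self._is_reply(p):
            return "ALLOW"   # e.g. the mail host answering an inbound SMTP session
        permitted = (p.proto == "tcp" and p.dport in OUTBOUND_TCP_PORTS) or \
                    (p.proto == "udp" and p.dport in OUTBOUND_UDP_PORTS)
        if not permitted:
            return "DENY"
        if p.new:
            self._remember(p)
        return "ALLOW"

    def _inbound(self, p):
        if self._is_reply(p):
            return "ALLOW"   # established traffic and answers to our own DNS queries
        if p.proto == "tcp" and p.dport == 25 and p.dst == MAIL_SERVER and p.new:
            self._remember(p)   # so the mail host's replies pass the outbound check
            return "ALLOW"
        return "DENY"


def run_sample():
    """Constructed traffic run through the policy; returns label -> verdict."""
    fw = Boundary()
    ws, web, resolver, stranger = "10.0.0.15", "203.0.113.10", "198.51.100.53", "192.0.2.7"
    sample = [
        ("workstation opens https",     Packet(ws, 51000, web, 443, "tcp", new=True)),
        ("web server replies",          Packet(web, 443, ws, 51000, "tcp")),
        ("workstation dns query",       Packet(ws, 40000, resolver, 53, "udp", new=True)),
        ("resolver answers",            Packet(resolver, 53, ws, 40000, "udp")),
        ("forged dns answer, no query", Packet(resolver, 53, ws, 40001, "udp")),
        ("scan of workstation smb",     Packet(stranger, 4444, ws, 445, "tcp", new=True)),
        ("workstation irc",             Packet(ws, 51001, stranger, 6667, "tcp", new=True)),
        ("inbound mail to mail host",   Packet(stranger, 33000, MAIL_SERVER, 25, "tcp", new=True)),
        ("mail host answers sender",    Packet(MAIL_SERVER, 25, stranger, 33000, "tcp")),
        ("inbound mail to workstation", Packet(stranger, 33001, ws, 25, "tcp", new=True)),
    ]
    return {label: fw.check(p) for label, p in sample}


if __name__ == "__main__":
    for label, verdict in run_sample().items():
        print(f"{verdict:5}  {label}")
```

Two of the verdicts are the point of the exercise: the forged DNS answer is dropped because no outbound query matched it, and the mail host's replies to an inbound SMTP session pass only because the boundary recorded that inbound flow. On a real gateway the `flows` set is the connection tracker, and the same policy is a handful of iptables rules with an ESTABLISHED,RELATED conntrack match ahead of the port rules.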

Final thoughts

If a solution lies within your job responsibility, take action. If the solution has a price tag, move the decision to someone who has financial responsibility for the network. Don't expect a manager to approve a million-dollar solution to protect $50,000 worth of data and hardware.
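Putting dollar figures on the three assessment steps and on the cost rule above, as an added example that is not from the article. Network value becomes the cost of one occurrence, the article's "vulnerability" becomes an expected yearly rate, and each candidate solution is judged by whether it saves more per year than it costs, which is the million-dollars-for-fifty-thousand test in numbers. The four manual hours per site per pay period is the article's figure; the site count, hourly rate, restoration hours, occurrence rates, control costs and reduction percentages are all assumptions made for the repair-shop example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    single_loss: float    # dollars lost each time it happens (the network-value step)
    annual_rate: float    # expected occurrences per year (the vulnerability step)

    @property
    def annual_loss(self):
        """Annualized loss expectancy: cost of one occurrence times yearly rate."""
        return self.single_loss * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    reduction: dict       # threat name -> fraction of that threat's loss it removes

    def annual_benefit(self, threats):
        return sum(t.annual_loss * self.reduction.get(t.name, 0.0) for t in threats)


def outage_cost(sites, hourly_rate, restore_hours_per_site, manual_hours_per_site=4.0):
    """Cost of one outage spanning a pay period: the article's four extra hours per
    site for manual time and attendance, plus restoration labour (assumed figure)."""
    return sites * hourly_rate * (manual_hours_per_site + restore_hours_per_site)


def total_annual_loss(threats):
    return sum(t.annual_loss for t in threats)


def evaluate(threats, controls):
    """Rank controls by net yearly benefit. 'justified' is the proportionality test:
    a control that costs more than it saves is a decision for the budget holder."""
    rows = []
    for c in controls:
        benefit = c.annual_benefit(threats)
        rows.append({
            "control": c.name,
            "annual_cost": c.annual_cost,
            "annual_benefit": round(benefit, 2),
            "net": round(benefit - c.annual_cost, 2),
            "justified": benefit >= c.annual_cost,
        })
    return sorted(rows, key=lambda r: r["net"], reverse=True)


# Constructed register for the repair shop: 12 sites, $35/hour, 6 hours per site to
# rebuild after an outbreak; these and the rates and percentages below are assumed.
ONE_OUTAGE = outage_cost(sites=12, hourly_rate=35, restore_hours_per_site=6)

REPAIR_SHOP_THREATS = [
    Threat("e-mail-borne virus", single_loss=ONE_OUTAGE, annual_rate=3.0),
    Threat("hostile web content", single_loss=ONE_OUTAGE, annual_rate=1.5),
    Threat("customer record disclosure", single_loss=50_000, annual_rate=0.05),
]

REPAIR_SHOP_CONTROLS = [
    Control("workstation antivirus", 2_400,
            {"e-mail-borne virus": 0.9, "hostile web content": 0.4}),
    Control("restrict ActiveX/Java/scripting and boundary filtering", 1_200,
            {"hostile web content": 0.8, "e-mail-borne virus": 0.3,
             "customer record disclosure": 0.5}),
    Control("managed monitoring service", 90_000,
            {"e-mail-borne virus": 0.95, "hostile web content": 0.95,
             "customer record disclosure": 0.95}),
]


if __name__ == "__main__":
    print(f"Annual exposure: ${total_annual_loss(REPAIR_SHOP_THREATS):,.0f}")
    for r in evaluate(REPAIR_SHOP_THREATS, REPAIR_SHOP_CONTROLS):
        flag = "justified" if r["justified"] else "escalate"
        print(f"{r['control']:55} net ${r['net']:>10,.0f}  {flag}")
```

With these assumptions the whole exposure is about $21,400 a year, so the two cheap controls from the article's solution both pay for themselves several times over while the monitoring service does not; that last row is the one you hand to the person with financial responsibility rather than approve yourself. Change the assumed rates and the ranking changes with them, which is exactly why the numbers belong in the assessment document and not in anyone's head.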

The risk management process is an important part of designing and operating a secure network. In conducting a risk assessment, you might discover that your network is underprotected and you need additional hardware, software, or admin and/or user training to defend it. At the very least, your analysis will prove that you're protecting your network with due diligence.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.
